Tuesday, March 12, 2013

We would like to think that the devices we purchase are things we own and control, and that the accounts we create in social-media space to represent us also belong to us. If schools loan laptops to kids, we assume that they're for the kids' own use and are not going to be used against them by school staff in some nefarious way.

But if you're tracking news on privacy and technology, you probably understand that these beliefs are ... well ... they're fantasy. Or at least they're old-school. Such assumptions are becoming less true over time.

Here are six ways your electronica and social-media providers own you.

FinSpy: who's tracking your every e-mail?

Tinfoil milliners, pay attention, please. Not that a hat would help in this case.

On 30 Aug 2012, the NY Times ran a story, "Software Meant to Fight Crime Is Used to Spy on Dissidents." The gist is that software is being used to spy on people that governments find ... inconvenient. This despite the software's purported intent: to help police in "a country that obeys the rule of law" to catch nasty people committing nasty crimes. From the NYT article, bold emphasis added:

The software proved to be the stuff of a spy film: it can grab images of computer screens, record Skype chats, turn on cameras and microphones and log keystrokes. The two men [featured in the article] said they discovered mobile versions of the spyware customized for all major mobile phones. But what made the software especially sophisticated was how well it avoided detection. Its creators specifically engineered it to elude antivirus software made by Kaspersky Lab, Symantec, F-Secure and others. The software has been identified as FinSpy, one of the more elusive spyware tools sold in the growing market of off-the-shelf computer surveillance technologies that give governments a sophisticated plug-in monitoring operation. Research now links it to servers in more than a dozen countries, including Turkmenistan, Brunei and Bahrain, although no government acknowledges using the software for surveillance purposes. The market for such technologies has grown to $5 billion a year from "nothing 10 years ago," said Jerry Lucas, president of TeleStrategies, the company behind ISS World, an annual surveillance show where law enforcement agents view the latest computer spyware. FinSpy is made by the Gamma Group, a British company that says it sells monitoring software to governments solely for criminal investigations.

Among a bevy of patents awarded to Apple this week was one that would enable or disable certain features of a phone depending on its location. It could be useful, but it also raises serious questions about who really owns your device. The patent, "Apparatus and methods for enforcement of policies upon a wireless device," was pointed out by Apple Insider Thursday. It's similar to an application made public in 2011 that would use a sensor in the phone to detect whether it was allowed to take pictures or make calls. The new patent relies on GPS, cell tower or Wi-Fi data to determine location, and then "changing one or more functional or operational aspects" of the device.

What kinds of serious questions does this patent raise?

That same news-day, Mark Frauenfelder posted to BoingBoing an item titled "Apple granted patent for location-based camera phone disabling." Frauenfelder quoted from the patent application describing the ability to apply "policies" to devices so that their function is limited or disabled in "sensitive locations," then observed (bold emphasis added):

I imagine movie theaters would be the first to use this remote disabling feature (if Apple ever decides to move ahead with this technology; just because they have a patent doesn't mean they'll use it). The paranoid side of me imagines governments using it to prevent citizens from communicating with each other or taking video during protests.

That's interesting, 'cuz that's what the 'paranoid' side of me imagines too. Maybe even the same sorts of governments who would pay six figures or more for the use of FinSpy.

Do you know whether your local school district is spying on your children tonight?

I didn't catch this story when it happened (I learned about it from a webcast I watched last month). The gist: a school district in suburban Pennsylvania loaned laptops to students in 2010, then used software installed on the laptops to spy on them. Yes, you read that right. To spy on children.

"Spy" in this case includes turning on the cameras while the kids were using their laptops at home, including in their bedrooms. Here's the gist from Wikipedia's article about the class action lawsuit brought in the matter, Robbins v. Lower Merion School District, sans extensive links to fascinating footnotes (bold emphasis added):

[...] in what was dubbed the "WebcamGate" scandal, the schools secretly spied on the students while they were in the privacy of their homes. School authorities surreptitiously and remotely activated webcams embedded in school-issued laptops the students were using at home. After the suit was brought, the school district, of which the two high schools are part, revealed that it had secretly snapped more than 66,000 images. The suit charged that in doing so the district infringed on its students' privacy rights. A federal judge issued a preliminary injunction, ordering the school district to stop its secret webcam monitoring, and ordered the district to pay the plaintiffs' attorney fees.

Fast forward to last week, when Quentin Hardy blogged on the NY Times that your phone's WiFi antenna is being used to monitor your movements in certain stores, from when you enter 'til when you leave, capturing where in the store you go (and thus what merchandise you're checking out), and how long you stay. This monitoring happens whether or not you're using your device to connect to the internet, or to make a phone call. Nope. That phone you're carrying, unused, in a pocket or purse or backpack is reporting on you in any case. From 7 March 2013, in "Technology Turns to Tracking People Offline" (bold emphasis added below):

The big initial use is the so-called bounce rate, or the percentage of people who come into the store who leave without making a purchase. But the technology also helps stores make sure that there is enough sales help or that enough registers are open. By seeing how people move in a store, retailers can also better determine where to place low-profit and high-profit items.

[...]

Computers are already recognizing people moving around, both voluntarily and involuntarily. [...] at a conference in Santa Monica, Calif., held by the Montgomery and Company investment firm [...] a company called Omnilink, which makes ankle devices for people under home arrest, talked about plans to expand into monitoring elders, children, workers on their own in the field and the infirm.

Even Deans at Harvard get their e-mail secretly inspected. Why should you be immune?

Can you imagine a more august and privileged group of individuals, a group of individuals to whom more deference is paid, than the faculty of Harvard University? I mean, okay: short of England's royal family, or Donald Trump when he's surrounded by trembling toadies.

Well, deference didn't stop Harvard's administrators from secretly spying on 16 faculty members who hold the role of "resident deans" ... nope, those nosy administrators wormed their way into the professors' e-mail accounts, looking to unmask a suspected 'culprit' who shared information with the press about a cheating scandal. From the NY Times, dateline 10 March 2013, "Harvard E-Mail Search Stuns Its Faculty Members":

"I think what the administration did was creepy," said Mary C. Waters, a sociology professor, adding that "this action violates the trust I once had that Harvard would never do such a thing." [...] Though some professors were disinclined to speak to a reporter, they showed less restraint online, where sites were buzzing with the news, and several professors said the topic dominated the faculty’s private conversations. On his blog, which is closely followed by many people at Harvard, Dr. [Harry R.] Lewis[, a professor and former dean of Harvard College,] called the administration’s handling of the search "dishonorable," and, like some of his colleagues, said the episode would prompt him to do less of his communication through his Harvard e-mail account, and more through a private account.

I hope Professor Lewis's idea of "a private account" isn't one provisioned by a behemoth like Google or Microsoft. You've got to figure that these companies are going to pay even less deference to Harvard faculty than the administrators at Harvard University. And it's pretty hard to imagine that all the Harvard faculty who follow Lewis's example are going to read the fine-print Terms of Service that pretty much nobody but the folks at the Electronic Frontier Foundation reads anyway.

Google Glass: Who's Watching Whom???

Everybody from CNN to CNET to TechCrunch is gushing over the latest news about Google Glass, a wearable interface to the greatest data farm on Earth, livestreaming data to and from your eyeglasses to ... wherever. At the SXSW show yesterday, Google spoke to developers about the interface -- the Mirror API -- that programmers will use to build apps for Google Glass.

As part of today’s presentation, Jordan also detailed some Glass apps Google has been working on itself, and apps that some of its partners have created. The New York Times app, for example, shows headlines and then lets you listen to the full article by telling Glass to “read aloud.” Google’s own Gmail app uses voice recognition to answer emails (and it obviously shows you incoming mail, as well). Evernote’s Skitch can be used to take and share photos, and Jordan also showed a demo of social network Path running on Glass to share your location.

A bar in Seattle has already generated buzz in tech communities with a preemptive strike against Google Glass. The proprietor doesn't want patrons to have to worry that someone with Google Glasses might be snapping photos. His patrons come in for privacy and he wants to keep it that way. That may have been nothing more than a publicity stunt but it portends a greater problem for Google Glass. When the general public becomes aware of Google Glass and exactly what it does, expect to see a lot of reactions similar to that of the Seattle bar owner.

Is this a matter of your devices owning you, or of someone else's devices owning you? Well, both actually. When that Google Glass-wearing minion passes you on the sidewalk, you're the data being streamed to Google and ... wherever. But once s/he has passed? Everything the glass-wearer does, everywhere she goes, whatever she says to whomever: combine that with FinSpy or the WebcamGate software and everything about that glass-wearer is tracked and analyzed, by agents and for reasons over which s/he has zero control.

Google Glass is expected to begin rolling out to software developers and others later this year.

Are you feeling like somebody's looking over your shoulder?

Bottom line: Today somebody just might be peeking out of your pocket. Next year, warnings to beware the evil eye will begin to take on whole new data dimensions of meaning.